CVE-2025-43795
Description
Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter.
Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect parameter.
Open redirect vulnerability in the Site Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect parameter.
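The three descriptions above share one shape: a `_..._redirect` request parameter is handed back to the browser as a redirect target without checking where it points. The following is an added example, not Liferay code and not the project's own `PortalUtil.escapeRedirect`, that puts the unchecked pattern beside an allow-list check of the kind the fix commits apply. The class name `RedirectGuard`, the method names and the allowed host `portal.example.com` are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not Liferay code: contrasts trusting a redirect parameter
// with validating it before it can reach a Location header.
public final class RedirectGuard {

    // Hosts this deployment may send users to (assumed value for the example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("portal.example.com");

    // Unchecked pattern: whatever arrived in the request goes straight back out.
    // This is the behaviour the advisory describes for the *_redirect parameters.
    public static String unsafeRedirect(String redirectParam) {
        return redirectParam;
    }

    // Checked pattern: returns the location when it stays on this site or on an
    // allow-listed host, otherwise null so the caller falls back to a default page.
    public static String escapeRedirect(String redirectLocation) {
        if (redirectLocation == null || redirectLocation.isBlank()) {
            return null;
        }
        String value = redirectLocation.trim();

        // Browsers resolve "//host/..." and "/\host/..." to a different origin.
        if (value.startsWith("//") || value.contains("\\")) {
            return null;
        }

        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return null;
        }

        // No scheme and no authority: a same-origin path such as /web/guest/home?x=1.
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return value.startsWith("/") ? value : null;
        }

        // Only web schemes may leave the site; javascript:, data: and friends are refused.
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }

        // Refuse "user@host" authorities, then require an allow-listed host.
        if (uri.getRawUserInfo() != null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "/web/guest/home?p_p_id=1",
            "https://portal.example.com/group/control_panel",
            "https://attacker.example/",
            "//attacker.example/",
            "https://portal.example.com@attacker.example/",
            "javascript:void(0)"
        };
        for (String s : samples) {
            System.out.printf("%-48s unchecked=%s  checked=%s%n",
                s, unsafeRedirect(s), escapeRedirect(s));
        }
    }
}
```

Run it with `java RedirectGuard.java` (single-file launch, Java 11 or later). The unchecked column echoes every input; the checked column keeps the two same-site targets and returns null for the external host, the protocol-relative form, the userinfo trick and the non-web scheme. The fix commits on this page call `PortalUtil.escapeRedirect` on any non-null `redirectLocation`; this stand-in models only the shape of that check (return the value or null), not Liferay's actual rule set, which is the project's own code.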
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.configuration.admin.web (Maven) | >= 2.0.7, < 5.0.76 | 5.0.76 |
| com.liferay:com.liferay.site.admin.web (Maven) | >= 2.0.4, < 5.0.103 | 5.0.103 |
Affected products
- Liferay/DXP (v5), range: 7.3.10
Patches
2 patches
1 file changed · +23 −22
portal-impl/src/com/liferay/portlet/internal/PortletContainerImpl.java+23 −22 modified@@ -532,38 +532,39 @@ private ActionResult _processAction( String redirectLocation = liferayActionResponse.getRedirectLocation(); - if (Validator.isNull(redirectLocation)) { - if (portlet.isActionURLRedirect()) { - PortletURL portletURL = null; + if (Validator.isNotNull(redirectLocation)) { + return new ActionResult( + events, PortalUtil.escapeRedirect(redirectLocation)); + } - if (portletApp.getSpecMajorVersion() < 3) { - portletURL = PortletURLFactoryUtil.create( - liferayActionRequest, portlet, layout, - PortletRequest.RENDER_PHASE); + if (!portlet.isActionURLRedirect()) { + return new ActionResult(events, null); + } - Map<String, String[]> renderParameters = - liferayActionResponse.getRenderParameterMap(); + PortletURL portletURL = null; - for (Map.Entry<String, String[]> entry : - renderParameters.entrySet()) { + if (portletApp.getSpecMajorVersion() < 3) { + portletURL = PortletURLFactoryUtil.create( + liferayActionRequest, portlet, layout, + PortletRequest.RENDER_PHASE); - portletURL.setParameter( - entry.getKey(), entry.getValue()); - } - } - else { - portletURL = PortletURLFactoryUtil.create( - liferayActionRequest, portlet, layout.getPlid(), - PortletRequest.RENDER_PHASE, MimeResponse.Copy.ALL); - } + Map<String, String[]> renderParameters = + liferayActionResponse.getRenderParameterMap(); - redirectLocation = portletURL.toString(); + for (Map.Entry<String, String[]> entry : + renderParameters.entrySet()) { + + portletURL.setParameter(entry.getKey(), entry.getValue()); } } else { - redirectLocation = PortalUtil.escapeRedirect(redirectLocation); + portletURL = PortletURLFactoryUtil.create( + liferayActionRequest, portlet, layout.getPlid(), + PortletRequest.RENDER_PHASE, MimeResponse.Copy.ALL); } + redirectLocation = portletURL.toString(); + return new ActionResult(events, redirectLocation); } finally {
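Review bot: the `!portlet.isActionURLRedirect()` guard now returns `new ActionResult(events, null)` explicitly where the old code fell through with a still-null `redirectLocation`; that is the same outcome, but a one-line comment at that return saying a null location is the intended "no redirect, render normally" result would stop the next reader from mistaking it for a missed escape. The property that matters from the LPS-196525 fix survives the rewrite: every non-null `redirectLocation` still leaves through `return new ActionResult(events, PortalUtil.escapeRedirect(redirectLocation));` before the portlet-URL construction is reached, and the `finally` block is unaffected by the added early returns.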
81b2bdf2f48d LPS-196525 escape redirect while getting redirectLocation from an external site
1 file changed · +24 −21
portal-impl/src/com/liferay/portlet/internal/PortletContainerImpl.java+24 −21 modified@@ -532,33 +532,36 @@ private ActionResult _processAction( String redirectLocation = liferayActionResponse.getRedirectLocation(); - if (Validator.isNull(redirectLocation) && - portlet.isActionURLRedirect()) { + if (Validator.isNull(redirectLocation)) { + if (portlet.isActionURLRedirect()) { + PortletURL portletURL = null; - PortletURL portletURL = null; + if (portletApp.getSpecMajorVersion() < 3) { + portletURL = PortletURLFactoryUtil.create( + liferayActionRequest, portlet, layout, + PortletRequest.RENDER_PHASE); - if (portletApp.getSpecMajorVersion() < 3) { - portletURL = PortletURLFactoryUtil.create( - liferayActionRequest, portlet, layout, - PortletRequest.RENDER_PHASE); - - Map<String, String[]> renderParameters = - liferayActionResponse.getRenderParameterMap(); + Map<String, String[]> renderParameters = + liferayActionResponse.getRenderParameterMap(); - for (Map.Entry<String, String[]> entry : - renderParameters.entrySet()) { + for (Map.Entry<String, String[]> entry : + renderParameters.entrySet()) { - portletURL.setParameter( - entry.getKey(), entry.getValue()); + portletURL.setParameter( + entry.getKey(), entry.getValue()); + } + } + else { + portletURL = PortletURLFactoryUtil.create( + liferayActionRequest, portlet, layout.getPlid(), + PortletRequest.RENDER_PHASE, MimeResponse.Copy.ALL); } - } - else { - portletURL = PortletURLFactoryUtil.create( - liferayActionRequest, portlet, layout.getPlid(), - PortletRequest.RENDER_PHASE, MimeResponse.Copy.ALL); - } - redirectLocation = portletURL.toString(); + redirectLocation = portletURL.toString(); + } + } + else { + redirectLocation = PortalUtil.escapeRedirect(redirectLocation); } return new ActionResult(events, redirectLocation);
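Review bot: no test accompanies this change (the stat shows 1 file changed), and the new `else` branch that runs `redirectLocation = PortalUtil.escapeRedirect(redirectLocation);` on a non-null value is exactly the path that deserves a regression test, since the old condition `Validator.isNull(redirectLocation) && portlet.isActionURLRedirect()` let an externally supplied location pass through `_processAction` untouched; a unit test that sets an absolute external URL as the action response's redirect location and asserts that the returned `ActionResult` does not carry it verbatim would lock the fix in. As a style point, the three-level nesting (`if (isNull) { if (isActionURLRedirect) { ... } } else { ... }`) reads more clearly as guard clauses with early returns, which is the shape the other commit on this page gives it.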
References
- github.com/advisories/GHSA-m55r-9fx8-725j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43795 (GHSA, advisory)
- github.com/liferay/liferay-portal/commit/81b2bdf2f48dbd467718ccc95c5bba31e5985fab (GHSA, web)
- github.com/liferay/liferay-portal/commit/cf23864f2b7a0e346f42961e0ad6c7ef5facb2b4 (GHSA, web)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43795 (GHSA, web)